Slashdot Mirror
CNN On Story on GnuPG 1.0
Dan Schleifer writes "Good to see that main-stream media has picked up on the release of GnuPG 1.0, and run a story on it. This is an especially GoodThing(tm) as, it's not just free software, but free encryption software that says: 'Haha, you silly little export regulations...' " Several nitpicky errors that I'm most of you will notice, but all in all great to seen the mainstream reporting on this, and starting to hit the issue of
privacy exportation, if only skimming the surface.
It makes it unreasonable for normal people to aquire and install crypto. You have to download it from off shore, then patch it into your environment.
Like they say...
Crypto is used by human rights groups. It is despised by the US Government. Draw your own conclusion.
In my book, Civil servants using patent lies to justify the destruction of the Constitution isn't just a breach of Oath, it's treason. And, every judge, congress person, and president that allows it to continue is a co-conspirator. Treason, you say? Well, there is a legal process for striking a Constitutional right like free speech. Failing to use that process suggests the powers that be are working for some other country; they clearly have an intent to defeat those of us that live under said Constitution; and they are US citizens. That is the very definition.
They're WAY past folly.
Yes, the half they got write was the "GNU" half. The GNU Project's goal was (and is) a completely free UNIX-like operating system, which they named the GNU OS (or just plain GNU). Currently, plugging the Linux kernel into this (mostly completed) OS provides you with a mostly functional OS known as GNU/Linux.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Interesting.. The second paragraph in the article begins with "The privacy-protection program, which is available now". That puzzled me for a second -- of course it's available now if it's announced! Only five seconds later did I realize how much used I became to our world, where software is announced when it's available, and announcements are not fluff and vapor just to outrun the competition... Funny how CNN is talking in traditional terms which sound so strange here.
Hopefully someone ingenious person will integrate GnuPG into Mozilla's email client. Hopefully that would encourage other email clients to adopt the integration and create wide spread use of signed email.
Joseph Elwell.
Also, there is still a great deal of debate over the entire Linux vs. GNU/Linux thing, I personally go with Linux but that's just me. Actually had they replaced Linux with Hurd it would have been entirely accurate.
-matt
I really hate to shatter your illusion but in times of national crisis the government can suspend ALL of your constitutional rights. Look at what happened to Japanese Americans during WWII. Most of them on the west coast were put into concentration camps, oops, I forgot, the history books leave that detail out. Also, Congress once did prevent a news paper (I forget which) from printing for a day because it had an article that could be harmful to national security or some such drivel. Or martial law, that's also unconstitutional, but in times of "national crisis" the government will suspend your rights for "the good of the nation."
-matt
Look at programs like "zero tolerance" for an example of the government trampling over people's rights. Under zero tolerance the government could arrest someone, confiscate ALL of the property, and sell that property, on the SUSPICION of you being a drug dealer. That's right, no trial, no rights, go directly to jail do not pass go, just because an ex-girl/boyfriend made an anonymous call to the police telling them you were dealing crack. Scary ain't it?
-matt
Lets say I encrypt all of my emails and on in a given week I send 100. 99 of these emails are along the lines of "happy birthday" or "can we meet friday by the new, expensive, super-trendy coffee shop". 1 is "I'm going to rob the bank in 2 days". Now lets pretend that the government has some kick ass crypto cracking computers and they can decrypt one of my emails a day and that they pick emails at random to decrypt. Lets say that that they get really lucky and pick the 1 bad email, out of the 99 good emails on the 25th try. Jackpot, they found out I'm going to rob a bank, oh wait, it's 23 days after the bank was robbed, oh well, they know who did it atleast, but wait, in those 23 days I made arangements to fly to some country that has no extridition treaties with the US.
Basically my point is that the government can be as suspicious of me as they want to be, it makes no difference in the end so I doubt that they'd bother trying. Also, people write letters on post cards, but most are in envelopes and they'd be extremely pissed if the envelope got delivered and it had been opened. It doesn't matter that it was just a letter saying "happy birthday."
-matt
Well that shouldn't be too hard. ;-)
"We must ensure that our country remains the technological leader of the universe in order to reserve the rightful place in the hierarch of mankind that our children deserve. Therefore, I submit to this distinguished body, that we must dis-allow the importation of any encryption technology onto our hallowed American soil that would seek to undermine the very moral and ethical fabric of our socienty and force our children to submit to functioning on the same pathetic level as the children of all the other nations on this Earth!"
(to be read in the monotone drawl of your favorite clueless bible-belt Senator).
...for "newbies" to encryption, that is?
I'm really pleased to see GnuPG getting attention -- it deserves it. After using PGP for a while now, and reading all about various encryption algorithms this afternoon, I'm feeling pretty pumped about protecting my personal privacy.
That said, PGP & GnuPG are only useful if more people start to use the software.
So, with that in mind:
Does anybody know where there is a simple explanation of how encryption works? Something that you could show your non-geek friends, or, even (gasp) your Mom, and have them understand the basics?
Getting friends and family on email is a hurdle I've basically crossed. Now I'd like to do the same with email encryption. [ In fact, I may write such a "newbie encryption" document myself, but may as well check to see if something already exists. ]
The Right Thing (tm) to do would be to have the mail client check the first time it tried to send mail to an address to see if that person had a key (assuming we set everyone up to use the same key-server network). Then automatically encode it and send the message to them. Sure have a checkbox to turn it off, or to only do it to people you explicitly tell it to. But the whole action (including getting the key) should be as invisible as possible to the user.
On the receiving end, when you receive encrypted mail from someone, your program should automatically go out to your HD (ask for password of course) and run GPG/PGP on it and show it to you unencrypted. Maybe just putting an encrypted icon in the status bar or wherever to tell you the mail was encrypted.
I'm waiting for this kind of functionality in a mail client personally. I think this would be a reasonable drop in replacement for regular email. I know I would use it, maybe someone could add this as a plugin or something to mozilla mail.
Well, it still has a few HURDles to pass.
I see that GPG runs under the Free Software Foundation's distribution of Linux, alternately called "Debian" or "GNU/Linux". Does it also support other Linux distributions?
-russ
Don't piss off The Angry Economist
An easy description of what encryption and signing (don't forget signing, its an important concept) do can be provided by offering analogies to postal mail and signing of contracts.
However... the actual how and why of encryption and signing is not something that will easily fit into someone's head. The basic problem is that while its obvious to the lay person exactly how an envolope protects their letters from casual examination, understanding how encryption protects their documents either requires that they take some things on faith or that they understand the math. There is no physicality to the protection, nothing that can be seen, touched or obviously understood.
You can go a certain distance with the postulate that "some mathmatical functions are easier to do in one direction than the other" and from that get the basics of cryptography, both signing and encryption, but again, the layperson has to either understand why the postulate is true, or take it on faith. Even so, the simplest explanations leave out a lot of important details (leaving the explainee not knowing how to distinguish between good crypto and bad crypto, and thus giving them more stuff to take on faith). One of the most concise set of basics is in Schneier's E-Mail Security which goes over the juicy bits in chapters 1-5.
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"
That's a part of the SSH2 package.
That's fine if you want to use SSH2. SSH2 has a very restrictive license. Its my understanding that SSH2 does not have as great a install base as SSH1 because of this. I've also seen some grumblings about performance - but nothing solid.
The GNU Project, based in Boston, Massachusetts, was launched in 1984 to develop a free Unix-like operating system, called GNU/Linux.
Oh well, they got it half right.
George
XFMail has support for it now (well, a recent version, and everything should be current soon). Please consult http://xfmail.slappy.org for more info. :)
"Hope for the best, but prepare for the worst."
Exporting a crypto-enabling API without the strong crypto is just as illegal as exporting the strong crypto itself. Therefore what we need now is a mailer developed outside the US. I can envision a flood of other crypto-enabled software that US programmers won't be able to develop in the States because of the export regulations.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
We don't because the US Government raises the spectre of "Criminals, terrorists and pedophiles" (Oh my!) Well that's just fine, until you start to wonder, who decides what makes a criminal? In China I could be arrested for sending a mail talking about how my wife was forced to be sterilized after our first child. Suspecting that everyone is a criminal and reading their mail to make sure they're being good little citizens may make sense if you're Chinese, it should never make sense here. In a decade or two, this very message might be considered "subversive" by the US Government and I might be visited in the middle of the night and shot in the back of the head because I don't follow the sheep-like inclinations of 90% of the public.
We should be demanding severe reforms in the privacy and cryptography arena. We should also be letting candidates know that we consider this to be a vital issue, one which will gain our lose our votes in the next election. We should not be tolerating the current status quo. We should never let it be assumed that a person is guilty until proven innocent.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Won't.. Linux.. be pissed? Pardon, but I seem to be a bit confused. Of course, while it is true that it would be a more technically accurate assertation to make if one said that the Free Software Foundation was based in Boston, Massacusetts than the GNU Project (although the two are practically synonymous, there are a few key differences).. or perhaps that the GNU Project was launched to accomplish a number of goals, of which releasing a free operating system was only the first. Of course, anyone who was interested could easily pick up all of this information at the GNU Project's Web site. But then, the media never has been known for doing their research, eh? I once read an article in a local newspaper that talking about Web design and mentioned HTML as being a programming language.
Other than that, the statement remarked upon by the original poster is mostly accurate. After all, the OS that the GNU Project eventually came up with was called GNU/Linux. Many people (mostly the media and the people who believe them) think that when one says "Linux kernel" that what is really meant by that statement is "the kernel for Linux" when the truth of the matter is that Linux is the name of the kernel used in the GNU OS. Therefore, as Richard Stallman states (and the Debian distribution respects), it is more appropriately referred to as GNU/Linux. Richard wants to have another GNU OS using Hurd as the kernel, but there's not too much development in that area from what I know.
I guess what originally drew me to comment on this post was simply.. how can a kernel for an OS get pissed off at anything? I would love to see posts that are a little more specific. Vague comments without a lot of backing tend to be.. well, vague. Not to mention annoying.
By the way, no, I'm not trying to detract from the work of Linus Torvalds. His is just as important as many (well, more than most, actually), although Richard Stallman is rarely given the credit he truly deserves.
~ Kish
Pardon this excessively opinionated foray further in the realms of off-topic discussion, but.. Well, let me try to get this straight.. What is the perfect example of the Internet community proving it's world wide (well, beside the fact that the World Wide Web isn't just a funny misnomer), GPG or snubbing your nose at America? Personally, I think snubbing your nose at a pair of continents (which are actually north and south, rather than one single land mass.. sort of) is really silly, but hey.
I'm pretty sure the original poster meant the United States government, but then again, I'm also pretty sure that they're rather confused and have no idea what they are talking about. At any rate, this sure is some serious flamebait. Don't get me wrong, even though I'm a United States citizen I have a number of issues with my country's government, and don't believe us or our country is necessarily all that better than those of other parts of the world. However, I can't agree with the idea that a community can prove itself as being world wide (which seems to me to mean that it excludes no one) by excluding a certain group (namely the United States).
National boundaries mean a lot. More than the original poster can apparently imagine. A lot of us would love to live in a better world, but being a practical realist as well as a dreamer, I can certainly attest to the fact that ignoring cold, harsh reality is quite bad for your health. Besides, the United States stands for freedom. There are a few corruptive influences in our country, but it is that way with any society. I don't like those elements of our society, but unless you can claim yours to be perfect, I don't think that you have room to talk. There are certainly much worse places in the world to live. I like what the United States as a whole stands for. And apparently a number of its opponents don't care for them as much as I do. Such as the idea that you should cast off the yolks of oppression and ignorance? Silly me.
~ Kish
How about an open-source keyserver project. Make the code needed to take advantage of the keyserver available to everyone and hopefully we would have a bunch of encryption/keyserver-ready mail programs in no time. Keys should be associated primarly with email-addresses and everyone could register their own keys, with email confirmation to that specific email-address of course. This could really boost the use of encryption.
An ideal model would be that when i have say pine and pgpg installed in my system, pine would automatically offer the option of encrypting the message(autodetect the presence of an encryption program). Signing the message with my own private key would of course also be automatic. When you receive an encrypted message, your mail reader would automatically attempt to decrypt it with your private key.
Of course there are some securite implications involved with automating the use of encryption keys but as long as your account/files aren't compromised these shouldn't really be a problem.
Sure. Some of what I'll say is kinda pulled from what I read in a PGP release many moons ago.
You don't write letters to people on postcards, do you? No. Why? Anyone can read what's on the postcard. If you want to write a private letter to someone, you write it on a piece of paper and put it in an envelope. You may even use a security envelope so you can't see what's inside the envelope.
Encryption is (in one sense) the envelope. It makes sure that no casual reader can see what the contents are. It may be credit card information, or it may be happy birthday wishes. It doesn't matter.
Encryption (as PGP/GPG uses) also provides authentication. It makes sure that when you get a letter from a friend, it really came from them and not someone who happened to break into Hotmail and fake e-mail.
Side note: Hrm. This could be a good way at advertising GPG (Hotmail cracked again? Don't worry, GPG keeps you safe!)
-Mark
Look on the GnuPG web page. There are links to a number of mail clients with some level of support.
Personally, I prefer mutt.
First off, you're parroting what the original poster said, i.e. that a big enough beowulf cluster can break the encryption, but moving it further offtopic by saying a big enough cluster can do anything.
Second, you're dead wrong. Cryptography is based on functions that are easier to do in one direction than the other. Easier by many many orders of magnitude. That means that a computer will always be encrypt a message to such a degree that were all the matter in the entire solar system turned into a huge cluster of computers, it would not be able to break the encryption with a brute force attack. You're home computer can do this RIGHT NOW. So while beowulf clusters are neat and all, don't ascribe magical powers to them. Its a sign of linux zealotry and that's just as bad as any other kind (*cough* M$ zealotry *cough*).
Note that I did however only talk about brute force attacks. There is always the chance that a new algorithm or new kind of technology (read quantum computing) will be found that will render a cryptography function as easy in one direction as in the other.
Jherico
Jherico
What can the average user can do to ensure his security? "Nothing, you're screwed"
It is a great thing that the mainstream media is embracing GNU projects, but I thing that forcing them (the errant journalists) to read a breif 'GNU/FSF/Linux primer' before publication would be a good idea.
A note to Stallman: Take a Valium, wash it down with a few shots of Absolut, (not too much now, we don't need you dead) and sleep off the rage of the HURDs virtual media invisibility.
Linux was below the radar screens for years, and is now up in a big way. HURD may well be the next Linux..
A thought before I go.. We should embrace GPG, for not only is is a good bit of code, but it may well be our best way of fighting the current stupid encryption laws. By making sure everyone, everywhere can get their hands on it, it nullifies the need for such a law, and I hope the US government realizes this..
.sig: Now legally binding!
What's need now is an easy way for end users to use encryption in everyday life. SSH is an easy replacement for telnet and ftp (scp, that is)... GNUpg is a wonderful program, but integration into Mail clients and the the like is very important to help people actually use it...
I'd encrypt / sign all my mail if it were easier... I guess I'm way too lazy to type a message, run it through GNUpg, then replace the text in the email all by hand... I've seen some decent apps for Win32 that do nice things (e.g. adding a right click option on text to do PGP encryption / signing)...
I'd love to see more encryption being used... I know a few Linux mail clients "plan" to have support for GNUpg, but none that I know of right now do and offer enough features to be worth using....
The legislature is fully aware of the effect of their policy. They don't WANT American crypto companies to be competitive. Strong American crypto companies lead to more Americans using crypto.
As long as Americans don't bother using crypto the legislature doesn't have to take unpopular steps to control it. So they stifle the companies who make and promote crypto products and the issue comes to the public's attention as little as possible.
/* The beatings will continue until morale improves. */
God knows the legislature doesn't act on real issues, but if we can make this a PR issue, then things might actually change.
-- $SIGNATURE
Given that GnuPG is open source, which means it will be peer-reviewed with eyeballs from all over the world, I wonder what would happen to its export status if the maintainers received and applied even one bug fix or ehancement derived from a USofA based reviewer/user.
This is a perfect example of GNU and the open source community. We provide free alternatives to commercial products that are available, and as an added bonus, it has no export restrictions! Why is it that free software written by hackers in their basements almost always better than something you would pay for? It all comes down to money... people are rushed to release their programs, and try to patch it together from others' code to try and save time. Corporate giants (primarily Microsoft) have taken the art out of programming. Computer programming is indeed an art, not a money-making scheme.
Let's keep it that way.
USA is hitting its own software companies with this regulations. This is good for everybody else, but it will cost the USA a LOT.
Very soon, US companies will start feeling the pressure from all over the place. For one thing, a german company (SuSe) can (and does) put things like PGP, ssh & co. in its distribution, which an US-based company (redhat, Caldera) can not and does not.
Now, adding ssh is just a matter of downloading the srpm package, compiling it and doing an RPM -i, but... Try adding ssh-agent imediately after login for all of your users in a consistent way and you will find out that this task is non-trivial. Then you have to make your PGP (or GPG) work with pine, or whatever you or any of your users use and so on. It is annoying and takes your precious time away.
It is just the same kind of shit as those I used to have with my (german) keyboard not getting properly configured, xdm coming with an completely open configuration file, and simmilar, with ONE major exception - RedHat cannot fix it in the "next version", because it is not even part of the distribution. SuSe can.
By the way, upgrading from RH-5.1 to RH-6.0 has killed my own solution to above mentioned problem of integrationg the ssh-agent in the login-process, so I had to do it again. And I hate repetitious jobs .-).
Do I see a problem for RedHat here?
I'm suprised that people haven't been touting the "free speech" end of GPG as well as the "free beer" when it comes to crypto algorithms. Cryptography that doesn't cost anything is good, but for the truly security-conscious individual i think that we need to stress the fact that he can check the source code for shabby implementations of algorithms (none that i see in GPG) and even blatant backdoors. I've seen people use closed-source crypto products, and I wonder when someone is going to discover a backdoor that was put there by some government. Price and politics are good, but security should be the selling point of GPG.
Andrew G. Feinberg
On the other end, you find people who distrust anything, so give up on encryption altogether. Their logic is, since "hackers" (their term, not mine! Lay off the stones!) can get into anything, there's no point in using convoluted methods to protect their information. That's the same kind of people who refused to use automatic tellers for years because no human being was handling the money.
What's important to put into the public's mind is some of the following points:
Encryption is the practice by which you make it impossible for anyone but the right people to read a message of any kind, be it a credit card number or an email message.
Cryptography is important for everyone, not just spies of military generals. Just because an information is not dangerous to you or someone else if it is revealed doesn't mean it's not private. Do you want love messages between you and your boyfriend/girlfriend/wife/husband to be read by anyone?
It's easy to apply good cryptography to almost anything, unless the nature of your data is highly secret (and we're not talking surprise party plans.) All it takes is a little extra "effort", and you can have secure messages.
No, the Government won't start spying on you because you're using encryption. Many people do it, and they're not terrorists or Russian spies.
Don't trust any company who says they use encrytion. There are two types of encryption: encryption that requires minimal effort to unravel (like tearing open an enveloppe) or encryption that requires some time and good cracking skills (like cracking a safe). If you want good encryption, look for second opinions on the Web, or from cryptography-savvy friends or colleagues.
Good encryption exists nowadays, and some encryption standards make it unlikely that your data will be exposed unless a lot of money and effort is put into it. Be wary of systems that claim they are unbreakable, but don't think your data is automatically vulnerable to any 13 year-old hacker with a modem. Yes, your data can be protected by cryptography.
Good security also means good practice. Your data will not be safe if you use simple passwords, like the name of your dog or your birthdate. Try using unpredictable passwords when you need to. If possible, use numbers and mixed case when choosing your passwords. NEVER use your name.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."